Integrating Darktrace with Wazuh


stefanny chavez anto

May 20, 2026, 11:39:37 AM
to Wazuh | Mailing List

Good morning, I need help configuring the integration between Darktrace and Wazuh. I would like Wazuh to receive Darktrace logs so that alerts and incidents can be displayed on the Wazuh dashboard.

Olamilekan Abdullateef Ajani

May 20, 2026, 12:17:15 PM
to Wazuh | Mailing List
Hello,

Wazuh does not have a native Darktrace integration, so you may have to forward the logs via syslog. I did some research and noticed Darktrace can be configured to send JSON.

So there are two possible approaches: configure Darktrace to send logs directly to the Wazuh server as the syslog receiver, or use an rsyslog server to mediate between Darktrace and Wazuh for normalization and customization before the logs are forwarded to Wazuh.

The latter is more scalable and robust, so I would advise you to use that approach.

Ref: https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html
https://wazuh.com/blog/how-to-configure-rsyslog-client-to-send-events-to-wazuh/

To configure the Wazuh manager as a syslog receiver, you need to add the remote block inside the <ossec_config> tags of /var/ossec/etc/ossec.conf on the Wazuh server.

<remote>
  <connection>syslog</connection>
  <port>514</port>          <!-- or a custom port like 5144 -->
  <protocol>tcp</protocol>  <!-- Darktrace recommends TCP for JSON -->
  <allowed-ips>DARKTRACE_IP_HERE</allowed-ips>
  <local_ip>WAZUH_MANAGER_IP</local_ip>
</remote>

Then restart the manager: systemctl restart wazuh-manager

You need to configure Darktrace to forward its logs. I found the documentation below; I hope it helps.
https://docs.taegis.secureworks.com/integration/connectNetwork/darktrace_connect/

You can enable log archiving by editing the /var/ossec/etc/ossec.conf file:
<ossec_config>
  <global>
    <logall>yes</logall>
    <logall_json>yes</logall_json>
  </global>
</ossec_config>
Then restart the Wazuh manager: systemctl restart wazuh-manager.

grep "darktrace" /var/ossec/logs/archives/archives.json
Verify that you have the logs, then disable archiving by setting the values to no.

Remember that, as there is no existing integration for Darktrace, you may need to write rules for your logs; please refer to the documentation below for guidelines on that. If you require assistance with this, please let me know by sharing sample logs.

I await feedback from you.

stefanny chavez anto

May 20, 2026, 2:20:28 PM
to Wazuh | Mailing List
I followed the correct steps, but when I run this command, I get the following result: cat /var/ossec/logs/archives/archives.json | grep "darktrace"

[attached screenshot: Captura de pantalla 2026-05-20 125858.png]

But nothing is showing up on my Wazuh dashboard.

Olamilekan Abdullateef Ajani

May 21, 2026, 8:36:55 AM
to Wazuh | Mailing List
Hello,

From the screenshot you shared, I can see "decoder":{"name":"darktrace-json"}, which means the log was successfully decoded by the darktrace-json decoder. The only missing piece is "rule":{"id":"xxxxx", ...} in the logs, which means the custom decoder you created matched successfully, but no rule matched afterward, resulting in no alert being generated.
What you need now is to create a custom rule that matches the decoder you have created, and then see the resulting alert on the Discover dashboard.

You can start with something as small as:

<group name="darktrace,custom,">
  <rule id="111111" level="10">
    <decoded_as>darktrace-json</decoded_as>
    <match>Darktrace Autonomous Response</match>
    <description>Darktrace Autonomous Response detected</description>
  </rule>
</group>


And test the logs with /var/ossec/bin/wazuh-logtest to confirm the fields are extracted, while ensuring the custom rule you created also matches.

You can find more information on writing custom rules in the documentation below.

stefanny chavez anto

May 22, 2026, 12:15:18 AM
to Wazuh | Mailing List


Good morning, I created the rule and when I run the command

/var/ossec/bin/wazuh-logtest

it shows me the following result:
[attached screenshot: Captura de pantalla 2026-05-21 142806.png]

Olamilekan Abdullateef Ajani

May 22, 2026, 10:56:23 AM
to Wazuh | Mailing List
Hello,
For a start, you only need the full_log section of the log you shared for testing, as this represents how the log was ingested into Wazuh, not the complete JSON log. That said, the log contains heavily escaped JSON, so you may need to investigate this at the source to find out how the events are tested.
I sanitized the logs to generate what you have below and tested with the decoder, also shared below, to ensure it works.

The log:
1 2026-05-20T12:20:51-05:00 darktrace-dt-48985-02 darktrace - - - {"url":"https://darktrace-dt-48985-02/#actions/513/174","eventType":"Darktrace Autonomous Response","codeuid":""{codeid":174,"action_family":"NETWORK","action":"CREATE_NEEDSCONFIRMATION","username":"System","reason":"","start":1779297651,"end":1779301247,"did":513,"pbid":0,"action_creator":"","model":"Antigena / Network / Inside Threat / Antigena Large Data Volume Outbound Block","inhibitor":"Block connections to 10.10.10.15 port 8080, *.oaiusercontent.com, oaiusercontent.com and 192.168.1.20.gob.pe port 8080","resource_id":"","device":{"did":513,"macaddress":"AA:BB:CC:DD:EE:FF","vendor":"Dell Inc.","ip":"192.168.1.10","ips":[{"ip":"192.168.1.10"}],"timems":1779296400000,"time":"2026-05-20 17:00:00","sid":48,"hostname":"desktop01.gob.pe","firstSeen":1770053653000,"lastSeen":1779296458000,"os":"Windows","ossource":"NTLM","typename":"desktop","typelabel":"Desktop"}}"}



The decoder and rule also below:

<decoder name="darktrace-json">
  <prematch>darktrace</prematch>
</decoder>

<decoder name="darktrace-json-fields">
  <parent>darktrace-json</parent>
  <regex type="pcre2">eventType":"([^"]+)".*?action_family":"([^"]+)".*?action":"([^"]+)".*?username":"([^"]*)".*?model":"([^"]+)".*?inhibitor":"([^"]+)".*?macaddress":"([^"]+)".*?vendor":"([^"]+)".*?ip":"([^"]+)".*?hostname":"([^"]+)".*?os":"([^"]+)"</regex>
  <order>event_type,action_f,action,username,model,inhibitor,srcmac,vendor,srcip,hostname,os</order>
</decoder>


Rule:

<group name="darktrace,">
  <rule id="100700" level="10">
    <decoded_as>darktrace-json</decoded_as>
    <description>Darktrace Autonomous Response - $(action) from $(srcip) on $(hostname)</description>
  </rule>
</group>

You can also test this on your side, please let me know.
[attachments: darktrace.png, darktrace2.png]
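The decoder and rule in the reply above can be exercised offline before they are dropped into /var/ossec/etc. The Python script below is an added example, not code from the thread or from Wazuh: it emulates the parent decoder's <prematch>, applies the child decoder's PCRE2 regex (which Python's re module interprets identically for the constructs used) to a constructed sample line modelled on the sanitized log above, expands the rule's $(field) placeholders the way the <description> does, and cross-checks the regex-extracted fields against the parsed JSON body. The sample lines, the JSON body (made valid here, unlike the escaped original), and the choice to blank out unresolved placeholders are assumptions of this emulation; wazuh-logtest remains the authoritative check.

```python
import json
import re

# Constructed sample line (assumption): RFC 5424 header followed by a valid
# JSON body, modelled on the sanitized Darktrace line posted in the thread.
SAMPLE_LINE = (
    '1 2026-05-20T12:20:51-05:00 darktrace-dt-48985-02 darktrace - - - '
    '{"url":"https://darktrace-dt-48985-02/#actions/513/174",'
    '"eventType":"Darktrace Autonomous Response",'
    '"action_family":"NETWORK","action":"CREATE_NEEDSCONFIRMATION",'
    '"username":"","reason":"","start":1779297651,"end":1779301247,'
    '"did":513,"pbid":0,'
    '"model":"Antigena / Network / Inside Threat / Antigena Large Data Volume Outbound Block",'
    '"inhibitor":"Block connections to 10.10.10.15 port 8080",'
    '"device":{"did":513,"macaddress":"AA:BB:CC:DD:EE:FF","vendor":"Dell Inc.",'
    '"ip":"192.168.1.10","hostname":"desktop01.gob.pe","os":"Windows"}}'
)

# Constructed non-Darktrace line (assumption) that the parent decoder must ignore.
OTHER_LINE = ('1 2026-05-20T12:21:00-05:00 fw01 kernel - - - '
              '{"eventType":"drop","srcip":"10.0.0.5"}')

# Parent decoder: <prematch>darktrace</prematch> is a plain substring test.
PREMATCH = "darktrace"

# Child decoder regex, copied from the thread's darktrace-json-fields decoder.
FIELD_REGEX = re.compile(
    r'eventType":"([^"]+)".*?action_family":"([^"]+)".*?action":"([^"]+)"'
    r'.*?username":"([^"]*)".*?model":"([^"]+)".*?inhibitor":"([^"]+)"'
    r'.*?macaddress":"([^"]+)".*?vendor":"([^"]+)".*?ip":"([^"]+)"'
    r'.*?hostname":"([^"]+)".*?os":"([^"]+)"'
)
# The <order> list from the same decoder; one name per capture group.
FIELD_ORDER = ["event_type", "action_f", "action", "username", "model",
               "inhibitor", "srcmac", "vendor", "srcip", "hostname", "os"]

# The rule's <description> template from the thread.
RULE_DESCRIPTION = ("Darktrace Autonomous Response - "
                    "$(action) from $(srcip) on $(hostname)")


def decode(line):
    """Emulate the two decoders.

    Returns None when the parent prematch fails (no decoder would claim the
    line), an empty dict when the parent matches but the child regex does not
    (decoder name set, no fields), else the extracted fields keyed by <order>.
    """
    if PREMATCH not in line:
        return None
    m = FIELD_REGEX.search(line)
    if m is None:
        return {}
    return dict(zip(FIELD_ORDER, m.groups()))


def render_description(fields, template=RULE_DESCRIPTION):
    """Expand $(field) placeholders as the rule description would.
    Unresolved placeholders are blanked here (an assumption of this emulation)."""
    return re.sub(r"\$\(([a-z_]+)\)",
                  lambda m: fields.get(m.group(1), ""), template)


def json_body(line):
    """Cross-check: parse the JSON payload after the RFC 5424 header.
    Raises ValueError if the body is not valid JSON, as with the escaped
    original, which is exactly why the regex decoder is used instead."""
    return json.loads(line.split(" - - - ", 1)[1])


if __name__ == "__main__":
    fields = decode(SAMPLE_LINE)
    for name in FIELD_ORDER:
        print(f"{name:>10}: {fields[name]}")
    print("description:", render_description(fields))
    print("json device.ip matches srcip:",
          json_body(SAMPLE_LINE)["device"]["ip"] == fields["srcip"])
    print("non-Darktrace line decoded as:", decode(OTHER_LINE))
```

Running the script prints each decoded field, the rendered alert description, and confirms that the regex picked the device IP rather than the 10.10.10.15 address inside the inhibitor text (the lazy `.*?ip":"` only reaches the `"ip"` key after `"vendor"`). If Darktrace changes the key order in its JSON, this ordered regex silently stops matching, so keep a copy of a real line in a wazuh-logtest check whenever the appliance is upgraded.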